
www.ijsetr.com
International Journal of Scientific Engineering and Technology Research
ISSN 2319-8885
Vol.04, Issue.18, June-2015, Pages: 3464-3470
Copyright @ 2015 IJSETR. All rights reserved.

Implementation of New Security Primitive using Captcha As Graphical Passwords Based On Hard AI Problems

M. MOHAMMED IMRAN 1, K. GOVARDHAN REDDY 2

1 PG Scholar, Dept of CSE, Kottam Karunakara Reddy Institute of Technology, Kurnool, AP, India, Email: [email protected].
2 Professor, Dept of CSE, Kottam Karunakara Reddy Institute of Technology, Kurnool, AP, India.

Abstract: Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging as an exciting new paradigm, but has been under-explored. In this paper, we present a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as graphical passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether, such as online guessing attacks, relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. Notably, a CaRP password can be found only probabilistically by automatic online guessing attacks even if the password is in the search set. CaRP also offers a novel approach to address the well-known image hotspot problem in popular graphical password systems, such as Pass Points, that often leads to weak password choices. CaRP is not a panacea, but it offers reasonable security and usability and appears to fit well with some practical applications for improving online security.

Keywords: Graphical Password, Password, Hotspots, CaRP, Captcha, Dictionary Attack, Password Guessing Attack.

I. INTRODUCTION

A Captcha is a program that can generate and grade tests that: (A) most humans can pass, but (B) current computer programs can't pass. Such a program can be used to differentiate humans from computers and has many applications for practical security, including (but not limited to):

Online Polls: In November 1999, slashdot.com released an online poll asking which was the best graduate school in computer science (a dangerous question to ask over the web). As is the case with most online polls, IP addresses of voters were recorded in order to prevent single users from voting more than once. However, students at Carnegie Mellon found a way to stuff the ballots by using programs that voted for CMU thousands of times. CMU's score started growing rapidly. The next day, students at MIT wrote their own voting program and the poll became a contest between voting "bots". MIT finished with 21,156 votes, Carnegie Mellon with 21,032 and every other school with less than 1,000. Can the result of any online poll be trusted? Not unless the poll requires that only humans can vote.

Free Email Services: Several companies (Yahoo!, Microsoft, etc.) offer free email services, most of which suffer from a specific type of attack: "bots" that sign up for thousands of email accounts every minute. This situation can be improved by requiring users to prove they are human before they can get a free email account. Yahoo!, for instance, uses a Captcha of our design to prevent bots from registering for accounts. Their Captcha asks users to read a distorted word such as the one shown below (current computer programs are not as good as humans at reading distorted text).

A. Lazy Cryptographers Doing AI

Note that from a mechanistic point of view, there is no way to prove that a program cannot pass a test which a human can pass, since there is a program, the human brain, which passes the test. All we can do is to present evidence that it's hard to write a program that can pass the test. In this paper, we take an approach familiar to cryptographers: investigate state-of-the-art algorithmic developments having to do with some problem, assume that the adversary does not have algorithms for that problem that are much better than the state-of-the-art algorithms, and then prove a reduction between passing a test and exceeding the performance of state-of-the-art algorithms. In the case of ordinary cryptography, it is assumed (for example) that the adversary cannot factor 1024-bit integers in any reasonable amount of time. In our case, we assume that the adversary cannot solve an Artificial Intelligence problem with higher accuracy than what's currently known to the AI community. This approach, if it achieves widespread adoption, has the beneficial side effect of inducing security researchers, as well as otherwise malicious programmers, to advance the field of AI (much like computational number theory has been advanced since the advent of modern cryptography).

An important component of the success of modern cryptography is the practice of stating, very precisely and clearly, the assumptions under which cryptographic protocols are secure. This allows the rest of the community to evaluate the assumptions and to attempt to break them. In the case of Artificial Intelligence, it's rare for problems to be precisely stated, but using them for security purposes forces protocol designers to do so. We believe that precisely stating unsolved AI problems can accelerate the development of Artificial Intelligence: most AI problems that have been precisely stated and publicized have eventually been solved (take chess as an example). For this reason it makes practical sense for AI problems that are used for security purposes to also be useful. If the underlying AI problem is useful, a Captcha implies a win-win situation: either the Captcha is not broken and there is a way to differentiate humans from computers, or the Captcha is broken and a useful AI problem is solved. Such is not the case for most other cryptographic assumptions: the primary reason algorithms for factoring large numbers are useful is because factoring has applications in cryptanalysis. In this paper we will present constructions of Captcha based on certain AI problems and we will show that solving the Captcha implies solving the AI problems. The AI problems we chose have several applications, and we will show that solutions to them can be used, among other things, for steganographic communication.

Computer security (also known as cyber security or IT security) is information security as applied to computers and networks. The field covers all the processes and mechanisms by which computer-based equipment, information and services are protected from unintended or unauthorized access, change or destruction. Computer security also includes protection from unplanned events and natural disasters. In the computer industry, the term security or the phrase computer security refers to techniques for ensuring that data stored in a computer cannot be read or compromised by any individuals without authorization. Most computer security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that gives a user access to a particular program or system.

Fig.1. Diagram explaining secure computing.

Working conditions and basic needs in secure computing: If you don't take basic steps to protect your work computer, you put it and all the information on it at risk. You can potentially compromise the operation of other computers on your organization's network, or even the functioning of the network as a whole.

1. Physical Security: Technical measures like login passwords and anti-virus are essential (more about those below). However, a secure physical space is the first and most important line of defense. Is the place you keep your workplace computer secure enough to prevent theft or access to it while you are away? While the Security Department provides coverage across the Medical Center, it only takes seconds to steal a computer, particularly a portable device like a laptop or a PDA. A computer should be secured like any other valuable possession when you are not present. Human threats are not the only concern. Computers can be compromised by environmental mishaps (e.g., water, coffee) or physical trauma. Make sure the physical location of your computer takes account of those risks as well.

2. Access Passwords: The University's networks and shared information systems are protected in part by login credentials (user IDs and passwords). Access passwords are also an essential protection for personal computers in most circumstances. Offices are usually open and shared spaces, so physical access to computers cannot be completely controlled. To protect your computer, you should consider setting passwords for particularly sensitive applications resident on the computer (e.g., data analysis software), if the software provides that capability.

3. Prying Eye Protection: Because we deal with all facets of clinical, research, educational and administrative data here on the medical campus, it is important to do everything possible to minimize exposure of data to unauthorized individuals.

4. Anti-Virus Software: Up-to-date, properly configured anti-virus software is essential. While we have server-side anti-virus software on our network computers, you still need it on the client side (your computer).

5. Firewalls: Anti-virus products inspect files on your computer and in email. Firewall software and hardware monitor communications between your computer and the outside world. That is essential for any networked computer.

6. Software Updates: It is critical to keep software up to date, especially the operating system, anti-virus and anti-spyware, email and browser software. The newest versions will contain fixes for discovered vulnerabilities. Almost all anti-virus products have automatic update features (including SAV). Keeping the "signatures" (digital patterns) of malicious software detectors up to date is essential for these products to be effective.

7. Keep Secure Backups: Even if you take all these security steps, bad things can still happen. Be prepared for the worst by making backup copies of critical data, and keeping those backup copies in a separate, secure location. For example, use supplemental hard drives, CDs/DVDs, or flash drives to store critical, hard-to-replace data.

8. Report Problems: If you believe that your computer or any data on it has been compromised, you should make an information security incident report. That is required by University policy for all data on our systems, and legally required for health, education, financial and any other kind of record containing identifiable personal information.

II. AI PROBLEMS AS SECURITY PRIMITIVES

Notice that we define hard in terms of the consensus of a community: an AI problem is said to be hard if the people working on it agree that it's hard. This notion should not be surprising to cryptographers: the security of most modern cryptosystems is based on assumptions agreed upon by the community (e.g., we assume that 1024-bit integers can't be factored). The concept of a hard AI problem as a foundational assumption, of course, is more questionable than P ≠ NP, since many people in the AI community agree that all hard AI problems are eventually going to be solved. However, hard AI problems may be a more reasonable assumption than the hardness of factoring, given the possibility of constructing a quantum computer. Moreover, even if factoring is shown to be hard in an asymptotic sense, picking a concrete value for the security parameter usually means making an assumption about current factoring algorithms: we only assume that current factoring algorithms that run on current computers can't factor 1024-bit integers. In the same way that AI researchers believe that all AI problems will be solved eventually, we believe that at some point we will have the computational power and algorithmic ability to factor 1024-bit integers. (Shamir and for instance, have proposed a machine that could factor 1024-bit integers; the machine would cost about ten million dollars in materials.)

An important difference between popular cryptographic primitives and AI problems is the notion of a security parameter. If we believe that an adversary can factor 1024-bit integers, we can use 2048-bit integers instead. No such concept exists in hard AI problems. AI problems, as we have defined them, do not deal with asymptotics. However, as long as there is a small gap between human and computer ability with respect to some problem, this problem can potentially be used as a primitive for security: rather than asking the prover to solve the problem once, we can ask it to solve the problem twice. If the prover gets good at solving the problem twice, we can ask it to solve the problem three times, etc. There is an additional factor that simplifies the use of hard AI problems as security primitives. Most applications of Captcha require the tests to be answered within a short time after they are presented. If a new program solves the hard AI problems that are currently used, then a different set of problems can be used, and the new program cannot affect the security of applications that were run before it was developed. Compare this to encryption schemes: in many applications the information that is encrypted must remain confidential for years, and therefore the underlying problem must be hard against programs that run for a long time, and against programs that will be developed in the future. We also note that not all hard AI problems can be used to construct a Captcha.

In order for an AI problem to be useful for security purposes, there needs to be an automated way to generate problem instances along with their solutions. The case is similar for computational problems: not all hard computational problems yield cryptographic primitives. Our definitions imply that an adversary attempting to write a program that has high success over a Captcha knows exactly how the Captcha works. The only piece of information that is hidden from the adversary is a small amount of randomness that the verifier uses in each interaction. This choice greatly affects the nature of our definitions and makes the problem of creating Captchas more challenging. Imagine an Automated Turing Test that owns a large secret book written in English and, to test an entity A, either picks a paragraph from its secret book or generates a paragraph using the best known text-generation algorithm, and then asks A whether the paragraph makes sense (the best text-generation algorithms cannot produce an entire paragraph that would make sense to a human being). Such an Automated Turing Test might be able to distinguish humans from computers (it is usually the case that the best text-generation algorithms and the best algorithms that try to determine whether something makes sense are tightly related). However, this test cannot be a Captcha: an adversary with knowledge of the secret book could achieve high success against this test without advancing the algorithmic state of the art. We do not allow Captchas to base their security on the secrecy of a database or a piece of code.
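The requirements this section places on a Captcha can be made concrete on the verifier side: instances are generated automatically together with their solutions, the only thing hidden from the solver is the randomness of each interaction (how the test works is public), an answer counts only within a short time and only once, and the sole "security parameter" is asking for more independent solves. The following is an added example, not code from the paper or from any CaRP implementation; the time window, the solution alphabet, and the `placeholder_render` stand-in for the hard-AI rendering step are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Added example (not the paper's code). Verifier-side logic for a Captcha as
# Section II requires it. The hard-AI rendering step is only a placeholder here.

CHALLENGE_TTL_SECONDS = 120   # assumption: tests must be answered shortly after issue
SOLUTION_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # drops look-alikes such as 0/O


def placeholder_render(solution, seed):
    """Stand-in for the hard-AI rendering step (assumption). A real scheme would
    turn (solution, seed) into a distorted image; this stand-in only interleaves
    lowercase noise derived from the seed and is not hard for a program to undo."""
    noise = hashlib.sha256(seed).digest()
    out = []
    for i, ch in enumerate(solution):
        out.append(ch)
        out.append(chr(ord("a") + noise[i % len(noise)] % 26))
    return "".join(out)


class ChallengeVerifier:
    def __init__(self, renderer=placeholder_render, clock=time.time):
        self._render = renderer
        self._clock = clock
        self._pending = {}   # challenge_id -> (solution, issued_at)

    def issue(self, length=6):
        """Generate one instance and its solution; return (id, rendered instance).
        Fresh randomness for every interaction is the only secret."""
        solution = "".join(secrets.choice(SOLUTION_ALPHABET) for _ in range(length))
        seed = secrets.token_bytes(16)
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (solution, self._clock())
        return challenge_id, self._render(solution, seed)

    def verify(self, challenge_id, answer):
        """Accept an answer only once and only inside the time window."""
        entry = self._pending.pop(challenge_id, None)   # single use, whether right or wrong
        if entry is None:
            return False
        solution, issued_at = entry
        if self._clock() - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        return hmac.compare_digest(solution, answer.strip().upper())

    def purge_expired(self):
        """Drop stale instances so unanswered challenges do not pile up."""
        now = self._clock()
        stale = [cid for cid, (_, t) in self._pending.items()
                 if now - t > CHALLENGE_TTL_SECONDS]
        for cid in stale:
            del self._pending[cid]
        return len(stale)


def rounds_for_target(p_bot, p_human, bot_max, human_min):
    """The only security parameter available: require k independent solves.
    Returns the smallest k with p_bot**k <= bot_max while p_human**k >= human_min,
    or None when the human/computer gap is too small for any k to work."""
    k = 1
    while p_human ** k >= human_min:
        if p_bot ** k <= bot_max:
            return k
        k += 1
    return None
```

`rounds_for_target` shows the limit of the "solve it twice, then three times" approach: with a bot at 30% and humans at 95% per instance, four rounds push the bot below 1% while humans still pass 81% of the time, but with a bot at 90% no number of rounds reaches that target before human pass rates collapse.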

III. IMPLEMENTATION

A. Modules

Graphical Password
Captcha in Authentication
Overcoming Thwart Guessing Attacks
Security of Underlying Captcha

1. Graphical Password: In this module, users authenticate before they can access the details held in the image system. A user who does not yet have an account must register first.

2. Captcha in Authentication: In this module we use both Captcha and password in a user authentication protocol, which we call the Captcha-based Password Authentication (CbPA) protocol, to counter online dictionary attacks. The CbPA protocol requires solving a Captcha challenge after inputting a valid pair of user ID and password unless a valid browser cookie is received. For an invalid pair of user ID and password, the user has a certain probability of having to solve a Captcha challenge before being denied access.
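The CbPA decision flow described in module 2, as an added example that is not the paper's implementation: a valid user ID and password always lead to a Captcha unless a valid cookie accompanies them, an invalid pair leads to a Captcha with a fixed probability, and the verdict on the credentials is released only after the Captcha step. The probability value, the PBKDF2 password storage, the cookie handling and the keyed coin flip for invalid pairs are assumptions; the Captcha subsystem itself is assumed external and reports only whether the challenge was solved.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's code: the login decision logic of the CbPA
# protocol. Constants and storage details are assumptions.

CAPTCHA_PROBABILITY_ON_INVALID_PAIR = 0.5   # the paper's "certain probability"; value assumed
PBKDF2_ITERATIONS = 50_000                  # assumed


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class CbpaServer:
    def __init__(self, users):
        self._users = users                   # user_id -> (salt, password_hash)
        self._key = secrets.token_bytes(32)   # server-side key for the invalid-pair decision
        self._cookies = set()                 # cookies handed out after successful logins
        self._pending = {}                    # captcha token -> (user_id, pair_was_valid)

    def _pair_valid(self, user_id, password):
        record = self._users.get(user_id)
        if record is None:
            hash_password(password, b"\x00" * 16)   # same cost whether or not the user exists
            return False
        salt, stored = record
        return hmac.compare_digest(hash_password(password, salt), stored)

    def _captcha_for_invalid_pair(self, user_id, password):
        # Keyed, deterministic coin flip (design choice, not from the paper): the
        # same wrong pair always gets the same decision, so resubmitting a guess
        # yields no new information.
        msg = user_id.encode() + b"\x00" + password.encode()
        digest = hmac.new(self._key, msg, "sha256").digest()
        return int.from_bytes(digest[:8], "big") / 2 ** 64 < CAPTCHA_PROBABILITY_ON_INVALID_PAIR

    def _new_cookie(self):
        cookie = secrets.token_urlsafe(24)
        self._cookies.add(cookie)
        return cookie

    def login(self, user_id, password, cookie=None):
        """Step 1. Returns ('granted', cookie), ('captcha', token) or ('denied', None).
        Validity of the pair is never revealed at this step except through the
        cookie bypass, which only applies to a valid pair."""
        valid = self._pair_valid(user_id, password)
        if valid and cookie in self._cookies:
            return "granted", self._new_cookie()
        if valid or self._captcha_for_invalid_pair(user_id, password):
            token = secrets.token_urlsafe(16)
            self._pending[token] = (user_id, valid)
            return "captcha", token
        return "denied", None

    def answer_captcha(self, token, captcha_solved):
        """Step 2. captcha_solved is the external Captcha subsystem's verdict."""
        entry = self._pending.pop(token, None)
        if entry is None or not captcha_solved:
            return "denied", None
        _, valid = entry
        return ("granted", self._new_cookie()) if valid else ("denied", None)


def make_sample_server():
    # Constructed sample account for demonstration.
    salt = secrets.token_bytes(16)
    return CbpaServer({"alice": (salt, hash_password("correct horse", salt))})
```

The point of storing the pair's validity server-side under an opaque token is that the Captcha step looks the same to the client whether the credentials were right or wrong; only after the Captcha is solved does the server say which it was.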

3. Overcoming Thwart Guessing Attacks: In a guessing attack, a password guess tested in an unsuccessful trial is determined wrong and excluded from subsequent trials. The number of undetermined password guesses decreases with more trials, leading to a better chance of finding the password. To counter guessing attacks, traditional approaches in designing graphical passwords aim at increasing the effective password space to make passwords harder to guess and thus require more trials. No matter how secure a graphical password scheme is, the password can always be found by a brute force attack. In this paper, we distinguish two types of guessing attacks: automatic guessing attacks apply an automatic trial and error process, although the search set S can be manually constructed, whereas human guessing attacks apply a manual trial and error process.
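The contrast drawn above, and restated in the conclusion (a fresh CaRP image per login attempt makes trials independent, so the password is found only probabilistically), can be quantified with a small model. This is an added example, not analysis from the paper: in the conventional model every failed trial excludes one candidate from the search set; in the CaRP model a trial tests its guess only when the automatic solver recognised the fresh image (with an assumed per-image accuracy `p`), and since a failed login looks the same whether the guess was wrong or the image was misread, nothing can be excluded. The closed-form functions and the Monte Carlo simulators below agree, and the last function gives a defender the success probability within a given failed-attempt budget, which is what a lockout threshold has to be chosen against.

```python
import random

# Added example, not the paper's code. Models the two guessing-attack regimes
# described in module 3; per-image recognition accuracy p is an assumed input.


def success_with_exclusion(search_set_size, trials):
    """Probability the password is found within `trials` attempts when every
    failed guess is excluded (password uniform in a search set of size N)."""
    return min(trials, search_set_size) / search_set_size


def success_independent(search_set_size, recognition_accuracy, trials):
    """Same budget under the CaRP model: each trial is an independent draw that
    only tests its guess with probability p, so P = 1 - (1 - p/N)^t."""
    per_trial = recognition_accuracy / search_set_size
    return 1.0 - (1.0 - per_trial) ** trials


def expected_trials_with_exclusion(search_set_size):
    return (search_set_size + 1) / 2


def expected_trials_independent(search_set_size, recognition_accuracy):
    return search_set_size / recognition_accuracy


def simulate_with_exclusion(search_set_size, rng):
    """Monte Carlo: trials until found when each failed guess is excluded."""
    target = rng.randrange(search_set_size)
    order = list(range(search_set_size))
    rng.shuffle(order)
    return order.index(target) + 1


def simulate_independent(search_set_size, recognition_accuracy, rng):
    """Monte Carlo: trials until found when nothing can be excluded and a trial
    only tests its guess if the fresh image was recognised."""
    target = rng.randrange(search_set_size)
    trials = 0
    while True:
        trials += 1
        guess = rng.randrange(search_set_size)           # no exclusion possible
        recognised = rng.random() < recognition_accuracy  # fresh image each time
        if recognised and guess == target:
            return trials


def mean_trials(simulator, samples, seed=1):
    rng = random.Random(seed)
    return sum(simulator(rng) for _ in range(samples)) / samples


def lockout_budget_table(search_set_size, recognition_accuracy, budgets):
    """For choosing a failed-attempt lockout threshold: success probability
    within each budget under the exclusion model and the independent model."""
    return {
        t: (success_with_exclusion(search_set_size, t),
            success_independent(search_set_size, recognition_accuracy, t))
        for t in budgets
    }
```

With N = 100 and p = 0.5 the expected number of online trials rises from about 50 to 200, and for any fixed budget the independent model gives a strictly lower success probability; the gap grows as p falls, which is where the hardness of the underlying recognition problem enters.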

4. Security of Underlying Captcha: Computational intractability in recognizing objects in CaRP images is fundamental to CaRP. Existing analyses of Captcha security were mostly case by case or used an approximate process. No theoretical security model has been established yet. Object segmentation is considered a computationally expensive, combinatorially hard problem, which modern text Captcha schemes rely on.

Fig.2. User Registration.
Fig.3. Admin Login.
Fig.4. Admin Activating User.
Fig.5. User Login (enter user name).
Fig.6. User Login (enter password & Captcha code).
Fig.7. User Upload (click image & upload).
Fig.8. User Download.
Fig.9. User Download (click image & download).
Fig.10. If you click invalid coordinates.
Fig.11. When you click correct coordinates.
Fig.12. File downloading.
Fig.13. Viewing Downloaded File.
Fig.14. User login with an invalid Captcha code: the account is blocked and an alert is sent to the registered email address.
Fig.15. Admin activating blocked user.

IV. CONCLUSION

We have proposed CaRP, a new security primitive relying on unsolved hard AI problems. CaRP is both a Captcha and a graphical password scheme. The notion of CaRP introduces a new family of graphical passwords, which adopts a new approach to counter online guessing attacks: a new CaRP image, which is also a Captcha challenge, is used for every login attempt to make trials of an online guessing attack computationally independent of each other. A password of CaRP can be found only probabilistically by automatic online guessing attacks including brute-force attacks, a desired security property that other graphical password schemes lack. Hotspots in CaRP images can no longer be exploited to mount automatic online guessing attacks, an inherent vulnerability in many graphical password systems. CaRP forces adversaries to resort to significantly less efficient and much more costly human-based attacks. In addition to offering protection from online guessing attacks, CaRP is also resistant to Captcha relay attacks, and, if combined with dual-view technologies, shoulder-surfing attacks. CaRP can also help reduce spam emails sent from a Web email service.

Our usability study of two CaRP schemes we have implemented is encouraging. For example, more participants considered Animal Grid and Click Text easier to use than Pass Points and a combination of text password and Captcha. Both Animal Grid and Click Text had better password memorability than the conventional text passwords. On the other hand, the usability of CaRP can be further improved by using images of different levels of difficulty based on the login history of the user and the machine used to log in. The optimal tradeoff between security and usability remains an open question for CaRP, and further studies are needed to refine CaRP for actual deployments. Like Captcha, CaRP utilizes unsolved AI problems. However, a password is much more valuable to attackers than a free email account that Captcha is typically used to protect. Therefore there are more incentives for attackers to hack CaRP than Captcha. That is, more effort will be attracted to the following win-win game by CaRP than by ordinary Captcha: if attackers succeed, they contribute to improving AI by providing solutions to open problems such as segmenting 2D texts. Otherwise, our system stays secure, contributing to practical security. As a framework, CaRP does not rely on any specific Captcha scheme. When one Captcha scheme is broken, a new and more secure one may appear and be converted to a CaRP scheme. Overall, our work is one step forward in the paradigm of using hard AI problems for security. With reasonable security and usability and practical applications, CaRP has good potential for refinements, which call for useful future work. More importantly, we expect CaRP to inspire new inventions of such AI-based security primitives.
